Keycloak - Identity providers and clients - keycloak

Is it possible to have different identity providers for each client in a realm, or are identity providers only realm-dependent? For example, I would like to have the GitHub identity provider for one client and LDAP for another, in the same realm. I have looked through the docs and the management console but no luck; before trying another approach I just wanted to check I'm not mistaken.

Got the answer from the Keycloak people: it is not possible to have client-dependent identity providers, so I need to create 2 realms for this.

Related

How to implement a custom Social Identity Provider on Keycloak?

I am trying to integrate a legacy OAuth 2.0 provider which does not support OpenID Connect 1.0 as an identity provider in Keycloak.
This legacy provider offers an XML service that returns the user details, similar to userinfo.
I see that Keycloak has the concept of social providers but I can't find any resources on how to implement a new one and register it in the GUI.
Here is the part of the Keycloak documentation that refers to this sort of provider: Identity Brokering APIs.
I also suggest you take a look at the source code of some custom providers implemented as Keycloak extensions. That can be quite helpful.
Implementing a custom identity provider is typically not a straightforward task and there will be a lot of edge cases and unpredictable scenarios. If your Keycloak server can have access to the database of your identity provider (e.g. via a read-only view) then it would be much easier to just implement a custom UserStorageProvider that fetches users for Keycloak. All the other stuff will be handled by Keycloak itself. Then you can also have some custom mappers that fetch those user attributes and allow you to put them inside tokens.

How to implement single sign on (SSO) as an identity provider & service provider

Please help. I'm aware there are several posts / docs about SSO implementations but I still can't seem to find one that addresses my use case - probably because I'm still new to SSO implementation.
Scenario:
I have an existing Symfony 4 application with existing users. I want that when users log into the app, they are automatically signed into Outlook Office 365 (web). Exactly the same implementation as on https://mysso.centennialcollege.ca/. Please NOTE I do not want Office 365 to authorize my app using the code flow approach; rather I want Office 365 to recognize users signed into my app as valid identities.
Has anyone implemented this or has ideas please?
Your question is a bit unclear. You're likely going to need to change the existing application in some manner in order to achieve true single sign-on. You'll need to ensure that authentication against the Symfony app leads to the presence of a session that can be used to trigger subsequent sessions in an SSO framework supported by O365.
In your case, I'd take a look at SAML and, more specifically, SimpleSAMLphp.
Are you affiliated with the organization you linked to in some way? Because just by looking at the login page it looks like they've already got some sort of SAML Identity Provider solution... you can just integrate your Symfony app with that IdP in that case, and correlate the principal returned to your SP application in the SAML assertion on successful authentication against the user data in your existing DB. You wouldn't have to use SSP in that case... any kind of SAML middleware would work.

Keycloak authorization

Hi, I'm pretty new to Keycloak and I don't understand some basic things about authorization. I have a REST API that exposes some resources and I want the users to have different roles depending on those resources. For example: I have users, cars and two roles (roleA, roleB). I want to assign roleA to userA for carA. Can I do this in Keycloak? How?
Thanks!
Yes, that can be done. This can be easily done via the admin console of Keycloak.
1. Create a realm
2. Create a client in the realm for your application
3. Create roles (either realm roles or client roles)
4. Create resources
5. Create role-based policies by selecting the relevant role
6. Create permissions by associating the created resources and the created policies
The question is a bit vague, but yes, you can do this in Keycloak.
Out of the box, Keycloak supports users and roles. It provides APIs and UIs to manage these. If your app is configured to use Keycloak as a source of identity, you can access Keycloak user and role information in your app.
I'm not totally clear on how your "car" concept relates to users and roles, or where you want to manage it. But you have a couple of options:
Turn your app into an OAuth resource server and have Keycloak provide identity information via tokens. Do your car business logic in your app. You'll want to read up on how OAuth works if you're not familiar with it.
It is possible to extend Keycloak to add custom domain objects, such as Car. More on how to do that here.
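As an added example (not code from the thread or from Keycloak itself), the following simplified model of the objects named in the first answer, resources, role-based policies and permissions, shows why "roleA for userA on carA" comes down to one resource and one permission per car; the evaluator is a stand-in for Keycloak's policy engine, and the client id "cars-api" and the token claim shapes are assumptions.

```python
"""Added example, not from the thread: a simplified model of the Keycloak
Authorization Services objects the answer lists (resources, role policies,
permissions) to show why "roleA for userA on carA" means one resource and one
permission per car. The evaluator stands in for Keycloak's engine, not its code."""
from dataclasses import dataclass, field


@dataclass
class RolePolicy:
    name: str
    required_roles: frozenset  # every listed role must be held ("required")

    def evaluate(self, user_roles: set) -> bool:
        return self.required_roles <= user_roles


@dataclass
class Permission:
    name: str
    resources: set      # resource names this permission protects
    policies: list      # unanimous strategy: all policies must grant

    def grants(self, resource: str, user_roles: set) -> bool:
        return resource in self.resources and all(
            p.evaluate(user_roles) for p in self.policies)


@dataclass
class ResourceServer:
    permissions: list = field(default_factory=list)

    def is_allowed(self, user_roles, resource: str) -> bool:
        # deny by default: access only when some permission grants it
        return any(p.grants(resource, set(user_roles)) for p in self.permissions)


def roles_from_claims(claims: dict, client_id: str) -> set:
    """Roles as Keycloak places them in an access token (assumed verified)."""
    roles = set(claims.get("realm_access", {}).get("roles", []))
    client = claims.get("resource_access", {}).get(client_id, {})
    return roles | set(client.get("roles", []))


def build_car_server() -> ResourceServer:
    # one resource and one permission per car, each bound to a role policy
    role_a = RolePolicy("roleA-policy", frozenset({"roleA"}))
    role_b = RolePolicy("roleB-policy", frozenset({"roleB"}))
    return ResourceServer([Permission("carA-roleA", {"carA"}, [role_a]),
                           Permission("carB-roleB", {"carB"}, [role_b])])
```

Signature, issuer, audience and expiry checks on the token belong in the resource server's middleware before the claims reach roles_from_claims.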

OpenID Connect User Mapping

Currently my organization uses a number of web apps/mobile apps/APIs, some of which authenticate against an in-house IdP and others which use a third-party proprietary system (over which we have no control).
We have been asked to implement SSO for these web applications and as a result I have been reading up on OpenID Connect. I believe this would be a better solution than SAML given that (a) end-users are not always enterprise users, and (b) SAML is not designed for mobile applications.
I believe I understand the flow reasonably well but have one sticking point. To allow users to authenticate using an external IdP, we would need to map the user back to our internal id. For example, a user authenticates using OIDC/Google, resulting in us receiving the user's unique Google identifier (and email etc. if we queried further), but this is not useful to us until we can map the Google identifier back to our internal customer id.
Is this mapping out of scope for OIDC? If so, is there a best-practice method for doing this? I'm sure we are not alone in this requirement...
Thanks,
John
Is this mapping out of scope for OIDC?
Short answer: yes! If your backend requires a comparison/validation against internal identity details, then it has to be done outside the scope of the OpenID Connect (OIDC) protocol. OIDC simply defines the process of obtaining tokens (ID and access token), which are required for authentication and authorization.
is there a best-practice method for doing this?
One option is to use out-of-band directory synchronization. For example, Google provides Google Cloud Directory Sync (GCDS), which allows you to synchronize identity details to LDAP or MS Active Directory. Another alternative is to use the SCIM protocol to communicate and provision users dynamically. For example, Google provides that support as well.
Alternatively, you can use just-in-time provisioning at the time you receive tokens. This support will depend on your identity provider implementation. For example, WSO2 Identity Server supports both JIT provisioning and SCIM.
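As an added example (not part of the answer above), here is the mapping step described in the question, with just-in-time provisioning on first login; the link table is keyed on the (iss, sub) pair because sub is only unique within one issuer, the customer store and issuer URLs are constructed stand-ins, and the claims are assumed to have been validated already.

```python
"""Added example, not part of the answer above: mapping an external OIDC
identity to an internal customer id with just-in-time (JIT) provisioning.
The link table is keyed on (iss, sub) because 'sub' is unique only within
one issuer; email is stored but never used as the key. In-memory dicts
stand in for the database; issuer URLs and subjects are constructed."""
import itertools


class IdentityLinker:
    def __init__(self, existing_customers=None):
        self.links = {}                             # (iss, sub) -> customer id
        self.customers = dict(existing_customers or {})  # customer id -> profile
        self._next_id = itertools.count(1000)

    def resolve(self, claims: dict, jit: bool = True) -> int:
        """Return the internal id for ID-token claims the caller has already
        validated (signature, iss, aud, exp, nonce)."""
        key = (claims["iss"], claims["sub"])
        if key in self.links:
            return self.links[key]
        if not jit:
            raise LookupError("unlinked identity %s@%s" % (claims["sub"], claims["iss"]))
        cid = next(self._next_id)               # JIT: create the customer now
        self.customers[cid] = {
            "email": claims.get("email"),
            "email_verified": bool(claims.get("email_verified", False)),
        }
        self.links[key] = cid
        return cid

    def link_existing(self, claims: dict, customer_id: int) -> None:
        """Deliberately attach an external identity to an existing customer,
        e.g. after the user proved ownership of the in-house account."""
        if customer_id not in self.customers:
            raise KeyError(customer_id)
        self.links[(claims["iss"], claims["sub"])] = customer_id


# constructed sample claims (values are made up, not real accounts)
GOOGLE_CLAIMS = {"iss": "https://accounts.google.com", "sub": "110248495921238986420",
                 "email": "john@example.com", "email_verified": True}
OTHER_IDP_CLAIMS = {"iss": "https://idp.example.org", "sub": "110248495921238986420",
                    "email": "john@example.com", "email_verified": False}
```

The same sub and email presented by a different issuer resolve to a different customer, which is the property that keeps one IdP's users from being confused with another's.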

Does OpenAM or JOSSO2 Allow multiple, concurrent Identity stores?

I am evaluating SSO solutions and am currently looking at OpenAM and JOSSO2.
I am -extremely- new to SSO, OpenAM and JOSSO2, and am just now trying to learn what I need to learn.
My application will need to be able to authenticate users against at least two different identity stores.
A local Database Store (Oracle, and to begin just a simple user/pass)
Active Directory (with x.509 two-factor authentication requirement)
There are two classes of users, which would authenticate against one or the other (and NEVER both).
Is it possible to set up OpenAM or JOSSO2 to handle such a scenario? In a previous job (life) I worked on a system that used JOSSO 1 to accomplish this, but I am hoping for a more refined approach (e.g. less custom code) for this current product.
Identity stores are different from 'source of authentication' in OpenAM.
OpenAM offers a wide range of different authentication modules and also allows using JDBC or LDAP as the implementation of a user data store.
Furthermore, both the authentication and the data store APIs are extensible, allowing you to plug in your specific implementation if needed.